10 security tips your account holders need to hear

As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders

As we move into Cyber Security Awareness Month, we’ve assembled a list of security awareness tips that should be top of mind for account holders doing any type of online banking, or even just accessing the Internet in general. Many of these are likely things you have heard before, but a little repetition can go a long way. As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders:

  1. Take infections seriously; a virus may not just be a virus. Most of us, if we’re honest, have probably been guilty of thinking that if our PC gets infected with something, it’s not that big of a deal—that’s what our IT department is for, after all. They’ll have whatever the latest nasty bug we’ve contracted wiped from our machine and we’ll be back on track in no time… right? Wrong. These things are not named after scary critters for no reason—they are serious and have serious implications. Think about the effect financial malware can have on your personal finances or on your small business’s network immediately upon download.
  2. Control access to your machine. Think twice before walking away from your computer to get that third cup of coffee without first locking it. Even worse is leaving your machine unattended in public, or in the backseat of your car during happy hour. Malicious physical access to devices can be an overlooked attack vector. It’s amazing how quickly files can be dumped or unintended access to sensitive information gained during a quick few minutes away from your machine.
  3. Trust but verify: if it sounds too good to be true, it probably is. Don’t fall prey to schemes that play on your natural inclination to trust. Being trusting is not necessarily a bad thing, but it’s important to verify before taking action. Be wary of things like employment offers to make a quick buck, claims that you are a lucky winner of something, or limited time offers to cash in on an opportunity. Simply put: if it sounds too good to be true, don’t be too quick to believe it.
  4. Don’t use insecure Wi-Fi or unknown machines for banking. Sensitive online activity, such as online banking, should only be conducted from a device that belongs to you on a trusted network. Paying a few bills while you’re sipping your favorite latte at a local coffee shop may seem innocent enough, but what do you really know about others who are connected to that public Wi-Fi? Sniffing traffic on a public Wi-Fi connection can be shockingly simple, and can leave everything you are doing on that network free for the taking.
  5. “TMI” – Don’t overshare on social media. We may all be guilty of sharing too much information (TMI) at times. Don’t let social media be your outlet for sharing “TMI” about yourself to millions of people all over the world. Social media outlets are information gold-mines for anyone who may be looking to learn more about their next victim. Knowing where you vacation, the name of your pet, and your mother’s maiden name may come in quite handy for someone attempting to impersonate you.
  6. If you’ve got it, update it. If you don’t need it, delete it. Updating your software is not something you should do only when your machine slows to an unbearable crawl because it hasn’t been updated in months. Installing the latest versions of software ensures that what you are running has the latest security patches and keeps you protected. Update your software as soon as new releases are announced, and delete any unnecessary programs on your devices that you don’t need in day-to-day business. Installing lots of nonessential software just provides increased exposure points for you and your information.
  7. Scrutinize your email. Many of us comb through hundreds of emails every day, and clicking through and opening these emails is second nature. However, email is one of the most common attack vectors and is a quick and easy way for attackers to drop malware onto your PC or mobile device, or to trick you into providing sensitive information. Pay close attention to any emails that appear to come from slightly odd senders, and be extremely wary of any email requesting you to provide or confirm sensitive information. Your financial institution should never ask you to confirm or provide any type of personal information via email. Report suspicious emails to your employer and delete them completely without opening or clicking any contained links.
  8. Be mindful of what you plug in. Throwing files onto a USB drive can be a quick and easy way to share information. However, it’s also a quick and easy way to spread malware. Only plug removable media that you know and trust into your devices, and never share these storage devices amongst multiple parties.
  9. Knowledge really is power. When it comes to online banking, it pays to be in the know. Use your financial institution’s real-time alerts to keep yourself aware of anything going on in your account that may not be normal. Setting these alerts to deliver to multiple targets (voice calls, SMS text messages, and email) can help ensure their safe and quick delivery. Notify your financial institution immediately if you receive an alert regarding activity you did not generate.
  10. Get away from the “that can’t happen to me” mindset and prepare yourself. Live by the adage that it’s better to be safe than sorry. Believing that “it can’t happen to you” is a very risky position to take. Educate yourself on security precautions that you can take to prevent yourself or your business from becoming a victim. Work to spread the word of online safety to your friends, colleagues and families and be proactive in putting security measures into place.


Cyber security and the threat landscape are constantly evolving, and keeping your institution and your account holders as secure as possible requires their participation. Use October to stress the importance of cyber security and remind your account holders of their own role in keeping themselves safe.

When trust turns sour: The threat of social engineering attacks to your institution

Tips to building a successful defense strategy

Hunter S. Thompson once said, “I am a generous man, by nature, and far more trusting than I should be. The real world is risky territory for people with generosity of spirit. Beware.”

This quote could not be truer or resonate more today, especially when discussing the topic of social engineering attacks in the financial sector.


“The real world is risky territory for people with generosity of spirit” is incredibly accurate if you think about it. The unfortunate truth is that, as humans, our natural inclination is to trust and to look for the good in people—particularly in the case of individuals working in customer service positions. Unfortunately, this makes us easy prey for fraudsters. Trusting, helpful human spirits are the low hanging fruit. Attacks aimed at humans don’t require an attacker to place malware on a device or inject anything into a browser—often all it takes is a simple phone call into the back office. With just a few nuggets of information about an end user, fraudsters often have all of the necessary tools to convince a financial institution’s (FI’s) employee to readily “help” them.

While we all would like to think that our staff will not fall for such schemes, I’d caution that the shift in transaction amounts occurring in such attacks is raising fewer and fewer eyebrows. Why? In many cases fraudsters are moving toward initiating smaller transactions—generally less than $10K—rather than high-dollar wires, so as not to gain unwanted attention. These smaller-dollar transactions are bounced through multiple mule accounts before ultimately leaving the country.

Particularly where social engineering is concerned, we have seen a 63 percent increase in fraud cases reported to Q2, when comparing only the first quarter of this year to all of 2014. That’s a dramatic upsurge in just three months, as compared to the prior 12.

At a high level, these reports consist of phone calls, faxes or emails into the back office attempting to generate transactions or change sensitive information on an end user’s account. And, with the amount of personal and company information available and accessible on the internet, the reality is that these scams are not difficult to pull off.

As we look to the future, a combination of factors will continue to make social engineering an attack of choice for fraudsters. To name just a few:

  • The shift toward Europay, MasterCard and Visa (EMV) cards, and the resulting reduction of fraud via the reselling of reproduced cards.
  • The continued evolution of anomaly-detection anti-fraud tools that catch transactions generated online.
  • The fact that these attacks really are just too easy, as they rely simply on trusting human nature.


Building a successful defense strategy for these types of attacks ultimately comes down to consistent training and testing of employees’ reactions to a variety of challenging scenarios. The Q2 Security team has built a targeted, customized Social Engineering Testing service designed to pressure employees in scenarios we’ve seen used in actual fraud cases. The reality is that we truly don’t know how staff will react to these types of schemes until they are faced with the situation in a real-world scenario. Trust itself is not a bad thing, however, encouraging a culture of “trust, but verify” may just pay off in the long run.

What cyber security lessons were learned in 2014?

Arguably, 2014 will be remembered as a year that left its mark on the state of cyber security across the industry. From massive retail data breaches to cyber attacks waged by nation states against organizations, the widespread impacts led to unprecedented repercussions. These types of attacks can cause brand damage, increased audit scrutiny and significant loss of market share. Let’s take a closer look at what we saw in 2014.

Massive Retail Breaches

2014 was a record year for retail data breaches – at least in terms of the number of records lost. Between Home Depot, Target and JP Morgan Chase, nearly every American felt the impact in some way, shape, or form. And while the large retailers occupied the mainstream headlines, a slew of small and mid-size retailers experienced similar breaches. POS (Point-of-Sale) systems became a popular target for criminals, as they obviously play a significant role in processing financial transactions. This, coupled with the increased demand for stolen credit cards, had a significant impact on the surge of malware targeting POS systems. Until merchants and manufacturers get serious about securing these terminals and their networks, they will remain a rich target for cyber criminals.

Sophisticated Banking Trojans

An underground market once dominated by ZeuS, Carberp, Citadel and SpyEye has given birth to more advanced variants and copycats boasting additional functionality and capabilities. In 2013 nearly a million new banking malware variants were uncovered, more than double the volume of the previous year. Institutions amped up their security to protect against these threats, but the rise of banking malware continued into 2014 as fraudsters tried to stay one step ahead. Last year we were introduced to Kronos, Emotet, Dridex and Dyre. Although the core functionality (e.g. stealing online banking credentials) still existed, these newer variants included enhancements in the form of anti-detection techniques and intelligent communication mechanisms.

Surges in Crypto-malware

Researchers observed a global surge in the occurrence of crypto-malware families such as Cryptolocker, Cryptodefense and Cryptowall. Crypto-malware is a particularly sinister threat that encrypts data on a compromised device and then attempts to extort money from the victim in order to have the data decrypted. Across the world, we watched as crypto-malware targeted a wide range of victims, from state governments to small towns, and large corporations to the average consumer. Faced with really no other option, most victims reluctantly paid the demanded ransom, crossing their fingers and blindly trusting their data would be restored. Unfortunately, this wasn’t always the outcome.

Attacks Aimed at the Weakest Link

The threat of attack directed towards the human element of security had been predicted. Frankly, it continues to prove to be the path of least resistance and yields a high rate of success. Attackers are no longer “throwing the kitchen sink” in hope the victim bites at the phish. Instead, techniques evolved as social engineering efforts became more specially crafted, targeting the victim in a manner that increased the chance the victim would divulge information or perform actions that would be unlikely in ordinary circumstances. Well-planned attempts targeted the back office at financial institutions, and fraudsters impersonated legitimate customers and coerced victimized employees into approving fraudulent transactions.

2015 and Beyond

So, what does 2015 have in store? Not surprisingly, we should probably be hedging our bets towards more of the same. However, I strongly believe institutions can tip the scale of power in their favor. Security requires vigilance and accountability. The threats we face are too pervasive to allow us to believe we can prevent them all. Financial institutions must leverage the right technology solutions that not only help defend against these threats, but also provide real-time detection. Ideally, these solutions can improve our ability to not only respond, but also remediate all types of attack. Tipping the scale, we greatly improve our chances for winning this ongoing fight.

Heightened FI Accountability Should Fuel Relationship Resurgence among Commercial Clients

The recent TRC Operating Co. Inc. case is only one of several creating a ripple of increased fraud awareness across businesses and their financial institutions (FIs). While it takes the vested interest of both parties to assess risk, build the fortress, and maintain safe-keeping, who’s to blame when security is compromised?

TRC’s claim of strictly being offered a username and password – and no further security controls – ultimately resulted in a $350K settlement paid by United Security Bank. So where is the line drawn?

Businesses do not receive the same protection against cyber fraud that is afforded to consumer banking customers under Reg E. While commercial customers are typically provided enhanced security solutions, they do not receive the loss protection piece that retail account holders do – which limits losses to $50 if reported within two days. As such, it’s on FIs to provide “commercially reasonable security procedures” to their business clients.

Username and password clearly do not cut the mustard as a standalone security control for commercial customers – or for that matter, any customer. Institutions are not just accountable to provide strong security options; when litigation arises, they are now being asked to prove they have attempted to offer these solutions to customers, who can then decide their own fate. This was evidenced in the recent court ruling in St. Louis that found Missouri-based title company Choice Escrow responsible for over $400K in fraud losses, after it declined [in writing] to use the security controls offered by its bank.

That being said, fraud fault does not automatically fall on FIs alone. In reality the term “commercially reasonable” when referencing security procedures is subjective. The blame, then, should be shared – and preferably the fraud prevented or squashed outright through tightened business/banking partnerships.

In light of the recent lawsuits making headlines, business owners must remain vigilant and aware of the clear and present dangers that exist, and FIs must establish themselves as the trusted advisor. To help diminish some ambiguity for business and banking partners, the UCC provides the below guidelines as to the determining factors of the “commercial reasonableness” of a security procedure:

  • What are the wishes of the customer expressed to the FI?
  • What are the circumstances of the customer known to the bank – including size, type, and frequency of payment orders normally issued by the customer to the bank?
  • What are the alternative security procedures offered to the customer?
  • What security procedures in general use by customers and receiving banks can be updated?

While “commercially reasonable” will continue to evolve with the landscape, FIs need to make the leap to a proactive security approach. Not to mention, strengthening the relationships among FIs and their commercial customers will only reinforce the barriers we’re all building against potential fraudsters.

Combatting Fraudsters

What is the right approach as the attack landscape changes?

I often get asked about my thoughts on banking from mobile devices. There’s no doubt about it: increasing demand for banking on mobile devices has become a critical component of most financial institutions’ (FIs’) offerings. But my concern is that I don’t think FIs or account holders fully appreciate the potential risks of banking on mobile devices – risks that, as a CSO, I see or hear about every day.

I know a lot of industry folk claim that security professionals often hyperbolize about mobile banking threats. But here is the reality: surprisingly many mobile banking applications are designed without proper security controls built in. Even worse, perhaps the underlying mobile operating system has flaws in its design. Look no further than the recent Apple iOS security vulnerability as an example (oh, by the way, iPhone users, make sure to get the latest iOS update). And even when the apps have proper built-in security, it may not be enough. Why? Well, as we deploy more sophisticated controls, fraudsters also adapt their techniques. Couple insufficient security with the proliferation of malware attacking mobile devices, and you have a threat that is very real and will continue to grow, evolving from running up bogus charges from cellular carriers—which is minor in comparison—to the potential of credential stealing and theft of financial data.

Theft of financial data from mobile devices, you ask? You bet. One of the methods we are beginning to see is the use of malicious Quick Response (QR) codes. For example, fraudsters create fake ones to convince account holders to download “new security software” from their FI. What really happens is the account holder downloads malware onto their mobile device, which then waits to intercept an out-of-band (OOB) SMS one-time password (OTP). Once obtained, fraudsters can log in as the account holder or potentially use it to approve a financial transaction. Yep, from the same out-of-band SMS OTPs that we all believe to be a secure method for countering attacks. And this is just one example.

But with the right approach, I know we can defeat fraudsters. This is why I’m so passionate with FIs about establishing a multi-layered security strategy, one which focuses on the entire banking session, from login and authentication through transaction submission. In the face of a myriad of threats, layered controls should be deployed to ensure a secure banking experience. Examples include the use of OOB OTPs and tokens, behavioral modeling to detect and prevent anomalies, multi-factor authentication, and the use of dual controls.

Why layered controls? This approach ensures the weakness of one control is compensated by the strength of another. And of course, these controls cannot be set and forgotten. They must be revisited as the attack landscape changes. My question to you: Is your FI investigating or using a multi-layered security approach? Implementing such a strategy will go a long way towards mitigating threats.

Check out the most recent issue of Credit Union Magazine where my fellow security colleagues and I further discuss combatting mobile threats.

A Factor of Two

The password is dead. At least, so they say – the headlines anyway. And if you haven’t seen them, you may not be paying attention. From the 2011 Forbes article declaring “The Password is Dead”, to the December 2012 Wired Magazine cover story titled “Kill the Password”, to the recent 2013 American Banker report reiterating “The User Name and Password Are Dead. Now What?”. Houston, we clearly have a problem – one that requires solving.

Authentication processes that only rely on static values presented at each logon event are well known to be vulnerable to compromise. It only takes a single misstep to fall victim to malicious threats lurking in the inter-webs, keystroke-logging their way into your online life.

Is it surprising to see the rapid adoption of two-factor authentication by social and consumer sites such as Gmail, Yahoo!, Twitter, Evernote, Dropbox, PayPal, and so many others? Please explain: why wouldn’t you want to protect your online banking account with at least the same level of security protecting your Facebook account!? Struggling to understand why these online services are surpassing the adoption rates of technologies by banks, credit unions, and other financial institutions? Me too. Maybe what’s even tougher to accept is the number of financial institutions not even offering such enhanced authentication features to their customers? One barrier often cited is the fear institutions tend to have around customer attrition due to overburdening security hoops. I may have given you that one a few years ago, but two-factor authentication is becoming more of a standard offered in many online services, such as the popular ones listed above. Google recently introduced their two-factor authentication for Gmail users. With nothing more than a simple instructional video, Google rolled out this feature in “3 easy steps.” Quite possibly, banks and credit unions alike haven’t considered that such enhanced authentication features might be welcomed and seen as a benefit or differentiating advantage in the eyes of their customers and members.

Introduce the smartphone. Yeah, you know, that device nearly every one of us owns. You remember now – the one you have connected at your hip. Consider online banking, from a security perspective, and realize the opportunity a mobile device introduces. Then consider engaging that mobile device in authentication-based events – representing the “something I have” in the two-factor realm. Why would your institution not leverage this second factor? To send a real-time SMS message to authenticate a user at login? To initiate an automated call containing a one-time code to authorize a transaction? Or to validate a higher-risk activity using a randomly generated value from a soft token app? This added level of security could often be just enough to halt fraudsters perpetrating account takeover attacks. Sure, it has its weaknesses, such as a smartphone infected with a malicious SMS-stealing Trojan. But show me a technology that doesn’t have weaknesses. There isn’t one. That’s why the best protection strategy is one that employs “multi-layered” security controls, to compensate for whatever weaknesses may exist in one control with the strengths of other controls.

It’s something I know. My Password. But it’s clearly not enough. Add to the equation something I have. A second factor.

Introducing the Elephant in the Room – The Challenge

Community banks and credit unions have protected account holders for a long time, but today armored walls are not enough — not with the popularity of the online channel.

While it is imperative that banks and credit unions offer a full lineup of banking services including online, mobile and voice to keep up with the growing demand, financial institutions also need to constantly reassess the challenges, issues and potential threats those channels present.

Contributing to the problem is that community banks and credit unions no longer know their accountholders as well as they once did. Consequently, few financial institutions have a good grasp of typical transactions for specific accountholders.

The issue is so important that it even garnered the increased attention of the federal government. On June 28, 2011, the FFIEC released updated guidance on how banks should guard against cyber-security threats. The FFIEC – a formal interagency body composed of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) – issued its original set of guidelines back in 2005, titled Authentication in an Internet Banking Environment. They called on all financial institutions to improve their single-factor authentication processes – typically based on user names and passwords.

Since the guidelines were issued, numerous financial institutions added a second verification level for online transactions. However, in countless cases, the added measures have been largely superficial and barely reinforce authentication.

Despite the well-intentioned initial FFIEC mandate, fraud continues to grow exponentially while touching newer channels such as mobile banking that barely existed six or seven years ago. Since then, online risk and fraud issues no longer emanate from hackers creating chaos from their basements. Fraud is a big business and spawned by sophisticated organized crime factories aimed at stealing financial information. As a result of the more recent increases in online fraud within the banking industry, the FFIEC issued the new updated guidelines regarding online bank account security in an effort to further address the root cause of fraud.

There is a growing need for technology that intuitively knows account holders’ normal transaction patterns, and then issues alerts when irregularities take place. The technology exists, but deployment is often infrequent. Stay tuned to find out more about assessing security and how you can be prepared.
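The kind of per-account baseline the paragraph above calls for, written here as an added example (not Q2’s code, and not a description of any product): each account holder’s past transactions define what is normal for them, and a new transaction is scored against that baseline. All accounts, payees and amounts are constructed sample data.

```python
"""Per-account-holder baseline of normal transactions, with alerts on irregularities.

Added example (not Q2's code): summarise each account's history, then score a new
transaction against that account's own baseline rather than a one-size-fits-all rule.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float   # US dollars
    payee: str
    hour: int       # local hour of day, 0-23
    channel: str    # e.g. "online", "mobile", "branch"


@dataclass
class Baseline:
    amounts: List[float] = field(default_factory=list)
    payees: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    channels: Set[str] = field(default_factory=set)


def build_baselines(history: List[Txn]) -> Dict[str, Baseline]:
    """Fold each account's past transactions into a Baseline."""
    baselines: Dict[str, Baseline] = {}
    for t in history:
        b = baselines.setdefault(t.account, Baseline())
        b.amounts.append(t.amount)
        b.payees.add(t.payee)
        b.hours.add(t.hour)
        b.channels.add(t.channel)
    return baselines


def robust_z(value: float, samples: List[float]) -> float:
    """Z-score built on median and MAD, so a few large historical payments (rent)
    do not inflate the scale the way a standard deviation would."""
    m = median(samples)
    mad = median(abs(s - m) for s in samples)
    # 1.4826 maps MAD to sigma for normally distributed data; the floor avoids /0
    scale = max(1.4826 * mad, 1.0)
    return (value - m) / scale


def hour_is_usual(hour: int, usual: Set[int]) -> bool:
    """Within two hours of any hour this account has transacted at (wrapping midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 2 for h in usual)


def assess(txn: Txn, baselines: Dict[str, Baseline]) -> Tuple[bool, List[str]]:
    """Return (alert, reasons). An account with no history alerts unconditionally."""
    b = baselines.get(txn.account)
    if b is None:
        return True, ["no_history"]
    reasons: List[str] = []
    # Amount: far outside this account's norm AND larger than anything it has ever
    # sent, so a recurring large payment already in the history is not re-flagged.
    if robust_z(txn.amount, b.amounts) > 3 and txn.amount > max(b.amounts):
        reasons.append("amount")
    if txn.payee not in b.payees:
        reasons.append("new_payee")
    if not hour_is_usual(txn.hour, b.hours):
        reasons.append("unusual_hour")
    if txn.channel not in b.channels:
        reasons.append("new_channel")
    # A new payee alone is routine; alert on an unusual amount, or on two or more
    # oddities together (e.g. new payee at an odd hour from a channel never used).
    alert = "amount" in reasons or len(reasons) >= 2
    return alert, reasons


# Constructed sample history for one account holder: utilities, phone and rent,
# all paid online in the evening.
HISTORY = [
    Txn("acct-1001", 85.00, "City Utilities", 19, "online"),
    Txn("acct-1001", 92.50, "City Utilities", 20, "online"),
    Txn("acct-1001", 88.00, "City Utilities", 18, "online"),
    Txn("acct-1001", 45.00, "Telco", 19, "online"),
    Txn("acct-1001", 1200.00, "Oak Street Rentals", 20, "online"),
    Txn("acct-1001", 1200.00, "Oak Street Rentals", 19, "online"),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    candidates = [
        Txn("acct-1001", 89.10, "City Utilities", 19, "online"),   # routine
        Txn("acct-1001", 1200.00, "Oak Street Rentals", 20, "online"),  # recurring rent
        Txn("acct-1001", 9500.00, "Unknown LLC", 3, "mobile"),     # everything is off
    ]
    for t in candidates:
        print(f"{t.amount:>8.2f} {t.payee:<20} {assess(t, baselines)}")
```

The thresholds (z > 3, a two-hour window, two oddities) are illustrative tuning knobs; a real deployment would calibrate them per account type against the institution’s own false-positive tolerance.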

Introducing the Elephant in the Room – Online Banking Security

If your financial institution does not have risk and fraud concerns for the online banking channel then this blog series will not be of any assistance to you. Keep a look out the next few weeks for more information on security including the challenge, assessing security and being prepared.

First off, if your financial institution’s reputation does not matter then I have some suggestions for you. To start, have your account holders create passwords that are easy to remember such as:

1. Children’s or pets names

2. Birthdays

3. Simple number sequences

4. Or have them attach sticky notes next to their computer with the password

You see, your very own account holder — too trusting, too frenzied, and sometimes too careless — is now the weakest link in the online banking process. Did you know that for every fifth person you know, one is infected? Well, at least their computer is. The Anti Phishing Working Group estimates that 17 percent of U.S. desktops are infected with some type of malware or password stealer. Microsoft recently proclaimed, “One out of every 14 programs downloaded is actually malware.” Talk about going viral! In regard to challenge questions, encourage them to make personal information readily available on social networking sites and to click on any unverified links. Maybe they can also misguidedly download Trojans with funny names like ZeuS (not the Greek god), Tatanga (not a dance), or Oddjob (not a James Bond nemesis). Just remember, when it comes to online risk and fraud, when it happens, your account holders will likely look to your institution for answers.

The bottom line is that you cannot rely on anyone’s computer or online device being secure. For your financial institution, this means you could be a passive bystander, not wishing to panic your accountholders, or a proactive watch guard of their transactions with a few effective changes and the right partner.

Choosing the right options for online account security comes at a critical time. The number of households that use online banking grew to 72.5 million and those utilizing electronic bill pay grew to 36.4 million, according to a recent consumer survey. Usage is up because this channel is now the most preferred way for accountholders to interact and transact with a financial institution. At the same time, people are busier than ever and struggle to keep track of difficult-to-recall user IDs and passwords while protecting themselves at all times. Fraudsters realize this and take advantage of the growing popularity of the echannel to set their traps to commit fraud.

The archetypal Depression-era bank thief, John Dillinger, was well known for his sophisticated social engineering schemes, which ranged from posing as a bank-alarm system salesman to pretending to film a “bank robbery scene” in order to stake out potential bank marks. For his efforts, Dillinger swiped several hundred thousand dollars from 1933 to 1934.

Compare that to the faceless ZeuS – called the ‘most dangerous Trojan virus ever created,’ according to some experts. ZeuS Trojans attack through “man-in-the-browser” agents that grab variables from a browser session, such as during online banking transactions, which they use to steal information, or worse.

Financial institutions may not be held accountable for any financial losses today, but their reputational loss has no such limitations. Online banking is so crucial that once an institution’s trust is compromised, accountholders have no reason to stay. Consumers are used to 24/7 online service and they expect 24/7 protection (even from themselves). Simply put, community banks and credit unions could and should do much more to protect accountholders as well as their financial institution’s own standing.

Now that you know all of this, what should be your next step? Stay tuned for the next blog posts to find out!

Managing the Access to Our Digital Lives

Passwords. They’ve become an integrated component of how we function in our daily lives. They are designed for the protection of privacy, and they represent a first line of defense in securing our digital lives and cyber personas. And in some cases, our only defense.

Sending, receiving, emailing, accessing, transacting, purchasing, banking, subscribing, submitting, authorizing and social networking… just to name a few. As a result of the digital age and the growing number of interactions we have with electronic systems, I, personally, am prompted for a password between 15 and 25 times each day – and sometimes in excess of 30.

As creatures that thrive on the euphoric principle of convenience, we often find ourselves constantly looking for ways to achieve more of it, while at the same time battling the perceived obstacles that seem to work against us and our quest to attain even more convenience(s) in our daily lives.

Translate this to how many of us view the obstacle of passwords. The number of daily online interactions that require our use of passwords is undoubtedly increasing. However, our tolerance for managing this growing mountain is exceedingly low… and that may be an understatement. As a result, we’ve gravitated towards a dangerous practice known as “password re-use”. Simply stated, our convenience is more important to us than our security. Agreed?

Look at the recent breaches of user passwords from services such as Facebook, Yahoo!, LinkedIn, eHarmony and other popular social-networking sites. Following these incidents, websites quickly surfaced publishing lists upon lists of these compromised passwords – and in many cases, usernames as well…which, in many cases, just so happened to be an email address.

Arguably, one could downplay the potential damage resulting from unauthorized access to one of their accounts on the sites listed above. But would you downplay the risk if one of these lists published your username and password for your online banking site? Absolutely not. And thus is the inherent problem that exists when re-using the same or similar passwords across online banking, social networking, and other e-commerce sites.

So, what measures can we be taking to help us avoid this problem and our tendency to opt for reusing passwords?

1. At a minimum, establish unique and complex passwords for use when accessing your online banking site. Inquire with your bank to see if they offer other factors for online authentication, such as tokens or OTPs (one-time passwords).

2. Use a personal passphrase instead of a single word, and build a password based on the words contained in the phrase or sentence. “Four score and seven years ago our fathers brought…” could be remembered as “4scanse”.

3. Consider a password management tool to help generate and store unique passwords for each of the sites you visit. Some of the most popular include RoboForm (my personal favorite), LastPass, and KeePass, to name a few. These tools will encrypt your saved passwords for safe online or offline storage and access.

Following such practices will reduce your risk of an attacker gaining access to your sensitive credentials. Only you can help yourself.